MarkJFine (Professor), 8 years ago
Zombie spam
If you've heard me use the term 'zombie spam', well, here's a great example of it (just checked my spam log):
[Thu Sep 28 18:47:47 2017 GMT] "Tasha" <Tashadsm@bestel.com.mx> [189.204.161.48, bestel....
Tasha likes you! :p
The Stock Zombie is back, using open relays from Vietnam, Indonesia, India and Brazil:
[Thu Oct 19 07:11:33 2017 GMT] "Gregory Fischer" <Fischervsei@static.vnpt.vn> [14.171.160.232, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 07:20:39 2017 GMT] "Peggy Hurst" <Hurstiolve@cc-kft.com> [103.19.109.112, netciti.co.id, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 07:27:07 2017 GMT] "Constance Berg" <Bergak@ezfreecoupons.com> [103.233.116.142, upinfomax.in, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 08:29:05 2017 GMT] "Ila Sloan" <Sloanklwhs@static.vnpt.vn> [222.254.238.121, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 09:48:13 2017 GMT] "Anderson Calderon" <Calderonvumz@static.vnpt.vn> [14.237.11.80, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 10:14:07 2017 GMT] "Nelson Mcmillan" <Mcmillanmxdsj@ondernemersgala.nl> [189.60.86.139, virtua.com.br, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
Hate these guys.
Overall spam count for Nov: 1738, mostly from China, which is basically one massive spamhaus.
Edit: I should point out that this is what my trap caught. Only 9 actually made it through to my junk box, which also happens to illustrate why I wrote the trap to begin with.
MarkJFine wrote:
Edit: I should point out that this is what my trap caught. Only 9 actually made it through to my junk box, which also happens to illustrate why I wrote the trap to begin with.
Only nine. SMH. That would be SOOOO nice. Seventy-one so far today for me. LOL. And I've given up blocking them, as MSN can only block so many addresses and/or domains.
My only option? Changing my main email from my MSN address to Gmail, as I get ZERO junk mail at my Gmail address, at least at this point.
I've had my main email, run on a semi-private server since before 2000, and have used it for every bloody subscription signup and login imaginable since. Not to mention that the web site it used to be associated with used to get hit by scrapers and I'd never protected my DNS record (to do so now would be ridiculously ineffective), although my email is linked to a specific domain using an SPF record. Some stupid email systems don't check the SPF record to see if a faked email using my address follows the SPF record and send me a bounce message anyway - I count those as part of the total.
I set up the system in the email to do several things:
1. Only allow whitelisted email addresses thru to the inbox, everything else should initially be considered spam.
2. If it's using my email address and isn't from my email server's IP, it's automatically spam and goes to /dev/nul.
3. They run SpamAssassin on every email, which leaves the tags of each test in the email header.
I don't use SA's ranking system. If it contains any of the following, it's automatically spam and should be sent to /dev/nul - especially RDNS_NONE, which basically means from an open relay (99% of them):
URIBL_ABUSE_SURBL, URIBL_DBL_SPAM, URIBL_INV, URIBL_SBL, URIBL_SBL_A, URIBL_DBL_ABUSE_SPAM, URIBL_DBL_ABUSE_REDIR, RCVD_HELO_IP_MISMATCH, HELO_DYNAMIC_IPADDR, HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_SPLIT_IP, RDNS_NONE, RDNS_DYNAMIC, URI_ONLY_MSGID_MALF, BOUNCE_MESSAGE
4. Barring those, I also check the IP address my server received it from, which is really hard to spoof, and I check it against a mini DNS lookup of sorts that I've been building since April. It converts the IP to a parent domain (that you see in the graphic). If the parent domain is on a special block list send it directly to /dev/nul.
5. Last test, if everything else passes, I check a list of email address partials (some include before the '@', some include the faked domain). If any part of the 'From:' matches anything on the list - /dev/nul.
All of these get logged using the format you've seen earlier so I can collect statistics on how the system is doing and can routinely update the mini-DNS if the IP results in a domain it doesn't know about yet. That mini-DNS has grown to a 99k text file, containing a regex lookup of IP ranges, abuse email, domain, and a comment. Was originally going to have the system automatically route the email to the abuse email address, but I found that just makes things worse in many instances.
Everything else goes to junk just in case someone's used a new email address not on the whitelist, which happens a lot, but some still sneak thru. Those are usually the "dear beneficiary" or some of the zombies made to look like they came from your printer/voice mail, or the zombies where the 'From' includes the name of someone you know - how they do that is a complete mystery to me. That last one usually contains a link luring you to an infected site, which SA should detect and trigger one of the URI flags, but half the time it doesn't and they scoot through.
Nonetheless, as you said, only 9 out of over 1700 in a month... I'd say it's pretty effective.
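As an added illustration of the five rules above in the order the post applies them (whitelist, forged own address, SpamAssassin tags, IP-to-parent-domain block list, From partials, and junk for whatever is left), here is a small Python version. It is not MarkJFine's trap, whose code and lists are not posted; the addresses, server IP, whitelist, block list, From partials and the two "mini-DNS" ranges are assumed sample data, the log entries are constructed from the From/IP pairs quoted in the thread, and the third bracketed field in the log line (masked as xxxxxxxxNxx in the quoted log) is filled with the verdict and the rule that fired, which is a choice made for this example:

```python
# Constructed illustration of the five-stage trap described in the post above.
# Names, addresses, IP ranges and list contents are assumed sample data, not the
# author's real lists.
import re
import time
from email import message_from_string
from email.utils import parseaddr

MY_ADDRESS = "me@example.net"        # assumed: the address the trap protects
MY_SERVER_IP = "203.0.113.10"        # assumed: the only host allowed to send as MY_ADDRESS
WHITELIST = {"friend@example.org"}   # assumed: senders allowed straight to the inbox

# Step 3: SpamAssassin test names the post treats as an automatic verdict.
KILL_TAGS = {
    "URIBL_ABUSE_SURBL", "URIBL_DBL_SPAM", "URIBL_INV", "URIBL_SBL", "URIBL_SBL_A",
    "URIBL_DBL_ABUSE_SPAM", "URIBL_DBL_ABUSE_REDIR", "RCVD_HELO_IP_MISMATCH",
    "HELO_DYNAMIC_IPADDR", "HELO_DYNAMIC_IPADDR2", "HELO_DYNAMIC_SPLIT_IP",
    "RDNS_NONE", "RDNS_DYNAMIC", "URI_ONLY_MSGID_MALF", "BOUNCE_MESSAGE",
}

# Step 4: the "mini-DNS", a regex over the connecting IP -> parent domain, abuse
# contact, comment. The prefixes only echo IPs quoted in the thread; they are
# assumed for the example and do not describe real allocations.
MINI_DNS = [
    (re.compile(r"^14\.171\."), "vnpt.vn", "abuse@vnpt.vn", "sample VN range"),
    (re.compile(r"^222\.254\."), "vnpt.vn", "abuse@vnpt.vn", "sample VN range"),
    (re.compile(r"^189\.60\."), "virtua.com.br", "abuse@virtua.com.br", "sample BR range"),
]
BLOCKED_DOMAINS = {"vnpt.vn"}                    # assumed block list of parent domains
FROM_PARTIALS = ["dsm@", "@ezfreecoupons.com"]   # step 5: assumed substrings of the From address


def parent_domain(ip):
    """Map the connecting IP to a parent domain via the regex table; None if unknown."""
    for pattern, domain, _abuse, _comment in MINI_DNS:
        if pattern.search(ip):
            return domain
    return None


def spamassassin_tests(msg):
    """Return the test names SpamAssassin recorded in the X-Spam-Status header."""
    status = msg.get("X-Spam-Status", "")
    m = re.search(r"tests=([A-Z0-9_,\s]+)", status)   # stops at the lowercase 'autolearn=' key
    return {t.strip() for t in m.group(1).split(",") if t.strip()} if m else set()


def classify(raw, client_ip):
    """Return (verdict, reason); verdict is 'inbox', 'null' (discard) or 'junk'.

    The score SpamAssassin computed is deliberately ignored: only the tag names count."""
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if addr in WHITELIST:                                     # step 1
        return "inbox", "whitelist"
    if addr == MY_ADDRESS and client_ip != MY_SERVER_IP:      # step 2
        return "null", "forged own address"
    hits = spamassassin_tests(msg) & KILL_TAGS                # step 3
    if hits:
        return "null", "sa:" + ",".join(sorted(hits))
    domain = parent_domain(client_ip)                         # step 4
    if domain in BLOCKED_DOMAINS:
        return "null", "blocked:" + domain
    for partial in FROM_PARTIALS:                             # step 5
        if partial in addr:
            return "null", "from-partial:" + partial
    return "junk", "unlisted sender"                          # everything else


def log_line(raw, client_ip, verdict, reason, when):
    """Format one entry in the style of the trap log quoted in the thread."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    stamp = time.strftime("%a %b %d %H:%M:%S %Y GMT", time.gmtime(when))
    domain = parent_domain(client_ip) or "unknown"
    return (f'[{stamp}] "{name}" <{addr}> [{client_ip}, {domain}, {verdict}:{reason}], '
            f'Subject: {msg.get("Subject", "")}')


SUBJECT = "Seriously... What if this company went tenfold by tomorrow?"
SAMPLES = [  # constructed messages; From/IP pairs echo the thread's log lines
    ('From: "Old Friend" <friend@example.org>\nSubject: lunch?\n\nhi\n', "198.51.100.7"),
    (f'From: "Me" <{MY_ADDRESS}>\nSubject: bounce bait\n\n', "198.51.100.8"),
    (f'From: "Gregory Fischer" <Fischervsei@static.vnpt.vn>\nSubject: {SUBJECT}\n'
     'X-Spam-Status: No, score=4.1 required=5.0 tests=RDNS_NONE,HTML_MESSAGE autolearn=no\n\n',
     "14.171.160.232"),
    (f'From: "Ila Sloan" <Sloanklwhs@static.vnpt.vn>\nSubject: {SUBJECT}\n\n', "222.254.238.121"),
    ('From: "Tasha" <Tashadsm@bestel.com.mx>\nSubject: Tasha likes you!\n\n', "189.204.161.48"),
    ('From: "New Contact" <newcontact@example.com>\nSubject: hello\n\n', "198.51.100.9"),
]


def process_all(when):
    """Run every sample through the trap and return the log lines it would write."""
    lines = []
    for raw, ip in SAMPLES:
        verdict, reason = classify(raw, ip)
        lines.append(log_line(raw, ip, verdict, reason, when))
    return lines


if __name__ == "__main__":
    for line in process_all(1508397093):   # Thu Oct 19 07:11:33 2017 GMT
        print(line)
```

The third sample is the interesting one: SpamAssassin scored it below its own threshold ("No, score=4.1"), so a score-based filter would pass it, but the RDNS_NONE tag alone sends it to the bit bucket, which is exactly the "I don't use SA's ranking system" point. The fourth sample carries no tags at all and is caught only by the parent-domain lookup in step 4.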